---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: calico
  namespace: kube-system
rules:
  - apiGroups: [""]
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - update
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups: ["extensions"]
    resources:
      - thirdpartyresources
    verbs:
      - create
      - get
      - list
      - watch
  - apiGroups: ["extensions"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["projectcalico.org"]
    resources:
      - globalbgppeers
    verbs:
      - get
      - list
  - apiGroups: ["projectcalico.org"]
    resources:
      - globalconfigs
      - globalbgpconfigs
    verbs:
      - create
      - get
      - list
      - update
      - watch
  - apiGroups: ["projectcalico.org"]
    resources:
      - ippools
    verbs:
      - create
      - get
      - list
      - update
      - watch
  - apiGroups: ["alpha.projectcalico.org"]
    resources:
      - systemnetworkpolicies
    verbs:
      - get
      - list
  - apiGroups:
    - policy
    resourceNames:
    - privileged
    resources:
    - podsecuritypolicies
    verbs:
    - use
